Overview
overview
10Static
static
100A6172B017F62EAA.exe
windows7-x64
100A6172B017F62EAA.exe
windows10-2004-x64
102891E1D4BAC70EBA.exe
windows7-x64
102891E1D4BAC70EBA.exe
windows10-2004-x64
103472CB2D1AB89AAB.exe
windows7-x64
103472CB2D1AB89AAB.exe
windows10-2004-x64
10613788884CE0093F.exe
windows7-x64
10613788884CE0093F.exe
windows10-2004-x64
107189AED8B8AE6568.exe
windows7-x64
107189AED8B8AE6568.exe
windows10-2004-x64
10CC3B1F89FAA517E4.exe
windows7-x64
10CC3B1F89FAA517E4.exe
windows10-2004-x64
10F5657AC3DC58DC8C.exe
windows7-x64
10F5657AC3DC58DC8C.exe
windows10-2004-x64
10General
-
Target
0461e6e8f234e00307331dae19d3512950bbf3cdf7a1ec32802dff62cc14c90c.zip
-
Size
562KB
-
Sample
241202-fnq3va1ka1
-
MD5
be8d17952bcdf0bac1696e7f9d4fc337
-
SHA1
902f122bf960a82331505e82c143af91424db1fd
-
SHA256
0461e6e8f234e00307331dae19d3512950bbf3cdf7a1ec32802dff62cc14c90c
-
SHA512
79aea791aa8a43ae88bbb27501f09f16b6f63165481b4faa7357a3f037b59a012ec0444954df41f39eadcc02a1d77d34d17eafaad46b55b023e52f61e0950e84
-
SSDEEP
12288:7Mgw/UcFZJP2zC7ttD0ZgDn/rvPxemsMgw/UUZJP2z/jrEL0cAB3:7M2cF2zQpCgnc/M2U2znELHAB3
Behavioral task
behavioral1
Sample
0A6172B017F62EAA.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0A6172B017F62EAA.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
2891E1D4BAC70EBA.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
2891E1D4BAC70EBA.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
3472CB2D1AB89AAB.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
3472CB2D1AB89AAB.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
613788884CE0093F.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
613788884CE0093F.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
7189AED8B8AE6568.exe
Resource
win7-20241023-en
Behavioral task
behavioral10
Sample
7189AED8B8AE6568.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
CC3B1F89FAA517E4.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
CC3B1F89FAA517E4.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
F5657AC3DC58DC8C.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
F5657AC3DC58DC8C.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\ProgramData\biobio ransmoware.txt
Extracted
C:\ProgramData\biobio ransmoware.txt
Extracted
C:\ProgramData\biobio ransmoware.txt
Extracted
C:\ProgramData\biobio ransmoware.txt
Extracted
C:\ProgramData\biobio ransmoware.txt
Extracted
C:\ProgramData\biobio ransmoware.txt
Extracted
C:\ProgramData\biobio ransmoware.txt
Targets
-
-
Target
0A6172B017F62EAA.exe
-
Size
137KB
-
MD5
b556893d6f0219bb98468f724aeb06cf
-
SHA1
540d6c29aa4a05564da6bf253fc46fc8793277f1
-
SHA256
a75d6bf3c8cf0fc45b368bd83200d141319c9c67033803a230bd3451a309edff
-
SHA512
3a9c8477dfec35af9e682e197c76a1c1e341cdd4f4c276d1c18beac9ff5b53da394eac8428e66921369a607cd75c2fb7e430466758df508d6974e59f7f901ae9
-
SSDEEP
3072:MLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8hn2bIoKb:MstYrEMw6Bxk5zOFNtgJiCUb
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (9111) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
2891E1D4BAC70EBA.exe
-
Size
137KB
-
MD5
c04dadf78f2813750900fa54863fb2b7
-
SHA1
8575e9d6f980b53ea13c37053aa2d55691bfe3e0
-
SHA256
207a249e3c4359548b9ff264cac31d09c95d626d0e4835c081d8afbb732bac4f
-
SHA512
20baf3958a55df7fe0196d300809afd2c4d4408c4e08db21f5ed6a1b6d21fcb09eea081813cf2b5ba60d745f745db043d2d2d9132da3ea565306402247b43372
-
SSDEEP
3072:GLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8hv2bIoKb:GstYrEMw6Bxk5zOFNtgJKCUb
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (9098) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
3472CB2D1AB89AAB.exe
-
Size
137KB
-
MD5
cdb5b9402d4db31b15abd8dd2eb1947d
-
SHA1
912c9ac3addd53685b3409c46dcb73946a74ecd3
-
SHA256
ba6a4d65b25c86faa7179d1aa3db48c2fc445e393d1b8c0035dbd81d27b93d54
-
SHA512
50280c0dc4e6d2709d2f18ff77134e029d1a123a5fcb173fab5fc4cd164b64d5b168b6286f39f6d5be7b0dcd140550692963d4fd08577a79682a833d6a6f8619
-
SSDEEP
3072:PLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8hj2bIoKb:PstYrEMw6Bxk5zOFNtgJOCUb
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (9083) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
613788884CE0093F.exe
-
Size
137KB
-
MD5
0b6d033622c9ff929e98c5ef7e2f8860
-
SHA1
ece019cdcbfab97462461585c58a5cf62bc5deb6
-
SHA256
ecd80e30e6bae14ca7c1198e430651aa297e01361a0508acef591adc0d50159b
-
SHA512
a5308bab575e87825cef01ae01ed8da84e1d42e588509b7bda1e8f4ffadc5fcbb39b9c5d6a331d508d74c12ba077cb303706537cb15662076a1fde86106b73e6
-
SSDEEP
3072:hLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8h32bIoKb:hstYrEMw6Bxk5zOFNtgJ6CUb
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (9083) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
7189AED8B8AE6568.exe
-
Size
137KB
-
MD5
ff7559d2160f6732056ff5a19722e69a
-
SHA1
aed67bf0c6e521fc552cbb4afe24a1c2eb286da7
-
SHA256
c2fc050f33d51d5560da425d137ef1e318f16fe5d49ee894327e33c3e12755e3
-
SHA512
020825f085dc4b08f2454be5425cd937a1f146843b76b445c6d5993d0581fedf93f84742e64b2abe986a8d5803a62a597962a04821488dea771c5354b6dfda10
-
SSDEEP
3072:oLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8hb2bIoKb:ostYrEMw6Bxk5zOFNtgJGCUb
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (11272) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
CC3B1F89FAA517E4.exe
-
Size
137KB
-
MD5
4aed4c0e78d355e497f2cc509ff078b5
-
SHA1
31a2ccfd5a679d2badc5fb66f243d4887d9ca444
-
SHA256
ed4e298040946a3be24dcde8303216644c2d2b78444bb1c9bfc7d17c748aeaa5
-
SHA512
bb251af369bd2662caef94ee96147439a75307dbfc30e2b2a63fad75af597e7981c41daec8cedb4326fb0243abbce2b681153380ccec79a38095022b85d4a804
-
SSDEEP
3072:CLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8hv2bIoKb:CstYrEMw6Bxk5zOFNtgJSCUb
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (9123) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
F5657AC3DC58DC8C.exe
-
Size
177KB
-
MD5
7bec4faccd4b6485d70a5bb46453ed65
-
SHA1
e001ad39f7269e5fca76154477e7708b8d729a4b
-
SHA256
787798eea28e8ea672f3cbfe9ec2ca4460098b491031eab0f8c30b7080f5eb00
-
SHA512
3deaabc3519eeb1eba3953c2054451f2fa6cfe3f297c643cb29b9017a43d5a43d8dafea5107b0dfe412917932ce40857c0f942e791f76ab8afa5bf4c310b8e37
-
SSDEEP
3072:sr85CDzbFk58x+o+EFz9/t2f65q8hPBJ2bIoKbwLIQ8YzXEMZK1A2W:k9vxk5zOFNtgJmBJCUbwstYrEMw63
-
Detect Neshta payload
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (9067) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1